Email Security Suites

EDITOR'S NOTE: The Buyer's Guide summarizes vendor-submitted information. To find out about future Buyer's Guide topics or to learn how to include your product in an upcoming Buyer's Guide, go to http://www.winnetmag.com/buyersguide.

The enterprise is experiencing an email security crisis. Spam now constitutes more than 50 percent of all email, and one in every 30 email messages contains a computer worm or virus. Apart from the real damage these scourges can do, they eat up CPU resources, deplete bandwidth, take up disk space, and waste our time. Even as governments pass laws to prevent spam and punish malicious code writers, the problem is worsening, and no one expects it to get better any time soon. Protecting and reclaiming email servers from this onslaught should be a top priority for every network administrator.

This Buyer's Guide looks at email security suites that offer spam blocking, antivirus scanning, and content filtering. All the products run on or support Windows 2000 or later.

All-in-One Security Solutions
Only in the past few years have vendors offered all-in-one email security solutions that include antivirus scanning, spam blocking, and content filtering. Today's email security suites offer the following areas of functionality:

real-time scanning or analysis

detection-signature databases

quarantine management

heuristic analysis to recognize previously undefined threats

ability to work across one or more protocols or ports

centralized management, monitoring, and reporting

daily or frequent updates of detection signatures

end-user notification of blocked activity

high accuracy

minimization of false-positives and false-negatives

24 x 7 technical support

Security Trends
In addition to the convergence of these three primary email security technologies, other trends are emerging. First, most products are becoming policy driven, letting you more easily tie written security policies to configured security settings. Second, several vendors are offering Digital Rights Management (DRM) functionality to control the internal content that end users send to external networks. DRM controls are likely to become one of the fastest-growing areas in email and network security over the next year. Third, vendors are increasingly using preshared private keys or digital certificates to encrypt email. Fourth, vendors are offering more hardware appliances, often because the email security system runs some form of Linux or because a separate appliance can speed throughput. Fifth, in response to high-profile business disasters and new regulatory-compliance laws, some vendors are starting to support email archiving and automatic insertion of legal disclaimers in email messages.

Installation Approaches
Where you install these products in your environment depends on the vendor and product. Some products install at the network perimeter, intercepting email and other Internet content before it arrives at the email server. Other products install right on the email server or on an adjunct server that has a direct connection to the email server's messaging database. A few products install on the client desktop, intercepting email between the server and the user's email client. Each strategy has its strengths and weaknesses, depending on your operational requirements and comfort level. Perimeter solutions can work with almost any email server, whereas a server-installed solution must be specifically written for that server. The decentralized nature of client-side programs is a big disadvantage for many administrators but might be the only way to ensure complete compliance if end users are allowed to retrieve email without directly accessing the company's email server (e.g., through Web-based email accounts, POP3 accounts, or peer-to-peer—P2P—and Instant Messaging—IM—solutions).

Antivirus Scanning
One important consideration in choosing a product is how it performs antivirus scanning. Only about half of the currently available email security products actually scan files; the other half simply block file attachments by extension name or by looking at MIME types. Assuming the product scans for viruses, which scanning engine does it use? If the company doesn't have years of demonstrated experience in antivirus scanning, its products should use a well-known third-party engine. To improve scanning accuracy, some vendors let you install more than one antivirus engine. Does the product look for and analyze embedded email content, such as ActiveX controls, Java applets, and scripts? Does it open embedded email links to scan remotely delivered content? Does it scan archive file types such as .tar and .zip files? Does it block cookies, spyware, and Web bots? A good email antivirus engine performs all these functions.

As a side note, if your email antivirus scanner sends autoreplies back to infected senders to warn them that they're infected, turn off that function. Almost all email viruses and worms forge the sender's address, making autoreplies almost useless.

Spam Blocking
How accurately does the product stop spam while allowing legitimate email? Most vendors claim a 98 percent or higher accuracy rate. However, such claims are questionable, and even a 98 percent accuracy rate lets a lot of spam through. Is the vendor's accuracy rating determined by false positives or false negatives? Which technologies does the product use to block spam? The best spam-blocking products use a combination of automated analytical tools and are supported by a team of people who perform ongoing spam research. The following are common spam-blocking methods:

keyword scanning

spoofed sender address checking

pornography-recognition engines

message-text hashing to recognize common spam wording

internal and external blacklists

real-time blacklist sites

whitelists

sender-address or domain blocking

message-header verification

reverse DNS lookup

antirelaying technology

Content Filtering
Content filtering is a two-way street: You need to prevent end users from downloading unauthorized Web site content and from emailing content that could expose the company to unnecessary business risk. How does the product block content—by domain, IP address, keyword, or Web site category? Does the product come with default content filters, and if so, can you modify them and create customized filters? Can the filters normalize data to remove extraneous spaces and characters that spammers commonly use before running the content against a rule set? Can it prevent end users from using anonymous proxy Web sites to circumvent the filters? Does it scan for content on ports and protocols other than those used for email or HTTP?

Global Considerations
When choosing a spam-blocking product, you need to consider the following. Which email servers and services does the product support (e.g., Lotus Domino, Microsoft Exchange Server, Novell GroupWise, SMTP)? Does it support FTP, HTML, IMAP, Network News Transfer Protocol (NNTP), POP, Remote Storage Service (RSS), and UNIX-to-UNIX Copy (UUCP)? Does the product have Lightweight Directory Access Protocol (LDAP) support so that you can use directory namespaces like Active Directory (AD) to authorize and authenticate content? Can it control or monitor content that comes across IM or P2P platforms? Is the solution a hardware appliance, software product, or Web service? If your company needs fault tolerance, does the product support load-balancing or failover capabilities? Which functions does the base product include, and which modules cost extra?

Making Your Decision
As you can see, you have a lot of things to consider when you're thinking about purchasing an email security suite. The best advice is to try a product before you buy it. Take a look at the functionality of each solution on your short list, read the available literature, and install the product in a test lab to determine whether it meets the needs of your environment.